We have a certification body with a client for ISO 27001 that has ‘cloud storage’ within its (the CB’s client’s) scope, but this is hosted by a third-party company. We have required evidence of how this can be included in the scope and how it can be incorporated into the client’s ISMS. We have accepted this situation if the third-party company carrying out the ‘cloud storage’ has an accredited ISO 27001 certificate for this activity, and the CB’s client has to ensure that this is current and maintained.
Does the committee consider this acceptable?
March 2018
It is the responsibility of the certified client to ensure the cloud storage provider meets requirements.
ISO 27001 requires in clause 8.1 Operational planning and control:
“The organization shall ensure that outsourced processes are determined and controlled.”
Although ensuring the cloud storage provider holds an accredited ISO 27001 certificate is, of course, one means to control that process (“cloud storage”), it is not the only possibility.